Closed Bug 1933369 Opened 3 months ago Closed 1 month ago

Report failures due to implementation limits to fuzzers for differential testing

Categories

(Core :: JavaScript: WebAssembly, task, P3)

Firefox 133
task

Tracking


RESOLVED FIXED
136 Branch
Tracking Status
firefox136 --- fixed

People

(Reporter: tom.online1337, Assigned: rhunt)


Attachments

(2 files)

Attached file 1.js

Steps to reproduce:

I encountered inconsistent behavior when running a WebAssembly module using different compiler settings in SpiderMonkey. The same WebAssembly module produces different runtime errors depending on whether the baseline or ion compiler is enabled.
SpiderMonkey Engine(Git 4f44c14a73993e4490646bde47eacbf2b9d267aa) (Linux, x64)

Actual results:

  1. Run the module with the baseline compiler:

     ./js --no-threads --fuzzing-safe --setpref=wasm_memory_control=true --setpref=wasm_js_string_builtins=true --wasm-compiler=baseline ./poc.js

     Output:

     ./poc.js line 2 > WebAssembly.Module:600:1 RuntimeError: too many array elements
     Stack:
       @./poc.js line 2 > WebAssembly.Module:wasm-function[0]:0x258
       @./poc.js:5:1

  2. Run the module with the ion compiler:

     ./js --no-threads --fuzzing-safe --setpref=wasm_memory_control=true --setpref=wasm_js_string_builtins=true --wasm-compiler=ion ./poc.js

     Output:

     ./poc.js line 2 > WebAssembly.Module:622:1 RuntimeError: unaligned memory access
     Stack:
       @./poc.js line 2 > WebAssembly.Module:wasm-function[0]:0x26e
       @./poc.js:5:1

Expected results:

The WebAssembly module should produce consistent runtime errors regardless of the compiler settings used. The discrepancy in errors (too many array elements vs unaligned memory access) suggests a potential bug in how the module is being interpreted or compiled.

Can you confirm this is not a duplicate of bug 1932062? See my comment there. Ion is able to eliminate array allocations that baseline is not able to. Those array allocations may fail, leading to differential execution.

Talking about this internally, we have other cases like this where we report this for fuzzers to look for [1]. We could start doing this for wasm arrays if that would help you filter out these examples.

[1] https://searchfox.org/mozilla-central/rev/6597dd03bad82c891d084eed25cafd0c85fb333e/js/src/vm/JSContext.cpp#355

Flags: needinfo?(tom.online1337)
Severity: -- → S3
Priority: -- → P3
See Also: → 1933370
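The filtering rhunt describes, as an added example that is not part of this bug or of SpiderMonkey: a small Node.js classifier for differential-testing output. It parses the error line from two shell runs of the same module (the baseline and ion outputs reported above are reused as constructed sample input) and treats a divergence as filterable when either run hit an implementation limit, recognised either from the error message ("too many array elements" is the one on this bug) or from a marker line on stderr. The marker strings, the extra limit messages and the function names are assumptions standing in for whatever the engine actually prints; adjust them to the real shell output before wiring this into a fuzzer.

```javascript
// Added example, not code from this bug or from SpiderMonkey: classify the
// outcome of one differential-testing run (same module, two compilers).
//
// Marker lines the engine is assumed to print on stderr when an
// implementation limit (not a spec-defined trap) is hit. The names are
// assumptions standing in for whatever the real engine reports.
const LIMIT_MARKERS = [
  "ReportOutOfMemory called",
  "ReportOverRecursed called",
  "ReportWasmArrayLimit called", // hypothetical marker for the array case
];

// Error messages that also indicate an implementation limit. The first is the
// one from this bug; the other two are assumptions.
const LIMIT_MESSAGES = [
  /too many array elements/,
  /out of memory/i,
  /too much recursion/,
];

// Extract the first "<ErrorType>: <message>" line and any limit markers.
function parseRun(stderr) {
  let error = null;
  const markers = [];
  for (const raw of stderr.split("\n")) {
    const line = raw.trim();
    const m = line.match(/\b(RuntimeError|RangeError|TypeError|InternalError): (.*)$/);
    if (m && error === null) error = { type: m[1], message: m[2].trim() };
    if (LIMIT_MARKERS.includes(line)) markers.push(line);
  }
  return { error, markers };
}

function hitImplementationLimit(run) {
  if (run.markers.length > 0) return true;
  return run.error !== null && LIMIT_MESSAGES.some((re) => re.test(run.error.message));
}

// "consistent": both runs ended the same way.
// "filtered":   they differ, but one side hit an implementation limit, so the
//               difference is expected (the optimizing compiler may have
//               removed the failing allocation on the other side).
// "divergent":  a genuine difference worth reporting.
function classify(stderrA, stderrB) {
  const a = parseRun(stderrA);
  const b = parseRun(stderrB);
  const sameError =
    (a.error === null && b.error === null) ||
    (a.error !== null && b.error !== null &&
      a.error.type === b.error.type && a.error.message === b.error.message);
  if (sameError) return { verdict: "consistent", a, b };
  if (hitImplementationLimit(a) || hitImplementationLimit(b)) {
    return { verdict: "filtered", reason: "implementation-limit failure", a, b };
  }
  return { verdict: "divergent", a, b };
}

// Constructed sample input, copied from the two runs reported in this bug.
const BASELINE_STDERR = `./poc.js line 2 > WebAssembly.Module:600:1 RuntimeError: too many array elements
Stack:
  @./poc.js line 2 > WebAssembly.Module:wasm-function[0]:0x258
  @./poc.js:5:1`;

const ION_STDERR = `./poc.js line 2 > WebAssembly.Module:622:1 RuntimeError: unaligned memory access
Stack:
  @./poc.js line 2 > WebAssembly.Module:wasm-function[0]:0x26e
  @./poc.js:5:1`;

// Constructed: a run that died on a marker with no error line at all, and two
// runs that trap differently for a reason no limit explains.
const OOM_ONLY_STDERR = "ReportOutOfMemory called\n";
const TRAP_A_STDERR = "RuntimeError: unreachable executed\n";
const TRAP_B_STDERR = "RuntimeError: integer divide by zero\n";

console.log(classify(BASELINE_STDERR, ION_STDERR).verdict);   // filtered
console.log(classify(TRAP_A_STDERR, TRAP_B_STDERR).verdict);  // divergent
```

The point of the marker check is that the fuzzer should not have to know every limit-related message: once the engine prints a fixed marker for any implementation-limit failure, the harness can drop the case on that alone, and the message list only covers builds that do not emit one.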

Thank you for your detailed response and explanation! The clarification you provided makes a lot of sense, and the behavior difference between Ion and Baseline is indeed reasonable and aligns with the spec as you mentioned.
I also appreciate the suggestion regarding fuzzers and the effort to handle similar cases internally. It sounds like a solid approach to proactively identify and filter out such scenarios in the future.

Flags: needinfo?(tom.online1337)
Type: defect → task
Summary: Inconsistent WebAssembly RuntimeError: "too many array elements" vs "unaligned memory access" with different compiler settings → Report failures due to implementation limits to fuzzers for differential testing
Duplicate of this bug: 1933370
Assignee: nobody → rhunt
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Pushed by rhunt@eqrion.net: https://hg.mozilla.org/integration/autoland/rev/4ff4fa78badc wasm: Report array limit error to fuzzers. r=bvisness
Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 136 Branch
Regressions: 1943707